[FROM THE EDITOR]

To Lead or to Follow?

Is it really best to be on the leading edge?

Or is it better to be a fast follower? (Note: If that's your strategy, make sure you really are fast.)

This is an age-old strategy question relevant to a wide array of markets. And it's equally relevant to security professionals, in the contexts of both their organizations and their own careers.

Let's define leading-edge security pros as those who try relatively untested ideas, tools, approaches.

On the plus side, this strategy may provide your company with a competitive advantage in your industry. It can give you a better ability to work with your vendors to help shape products and services that meet your specific needs and priorities. It may offer you more creative and stimulating work, and the ability to retain creative staffers.

The obvious downside of a leading-edge approach is that you will spend time and money on ideas that don't pan out. You and your ideas are an easy target for criticism, and that criticism won't always be unwarranted. Some of your ideas may be simply wrong.

So leading-edgers tend to get either the glory or the pink slip. You have to decide two things: One, are you confident enough in your new ideas to bet the farm? And two, does your risk appetite match that of your organization?

While most of us make those decisions based on our individual situations, there is also a macro question to be addressed. Namely, without risk takers, how can the entire profession move forward?

This question, whether to be on the leading edge or hang back as a fast follower, is important to me in my job, as I set the editorial strategies for CSO magazine and CSOonline.com (and those strategies are related but not the same). Should we simply run security news and product announcements? You can make a profitable business that way, and most do. Or should we aspire to something more? Personally, I think reactive security coverage is important, but ultimately it doesn't move the profession forward.

To keep up with the rapid evolution in the attack space, I think the defenders need to continually examine new strategic ideas, processes and organizational models.

I hope you find that CSO contributes to that process. In the online version of this column (http://www.csoonline.com/article/689914) I'll link to some articles where I believe we've done exactly that.

-Derek Slater, dslater@cxo.com
[FROM THE PUBLISHER]

Storm Brewing

This summer I embarked on my annual vacation with my wife and daughter. As usual, we spent a day packing the ever-present SUV with what looked like three months' worth of supplies and headed to a favorite island of ours for a week of relaxation.

I always cherish this week as a way to get away from the world of security. I get to stay in one place for a week. I get to read. There's no missed flights or TSA screenings. No rental cars or meals on the fly. No conference calls. And, to the guarded chagrin of my wife, only an occasional peek at email.

I've followed this routine for many years with only a few exceptions. I'm the kind of person who embraces routine for the comfort it brings. But this year was different.

We still went to the beach nearly every day. Dined at some great restaurants. Drank far too much. But this year's vacation included an event I really did not plan for when I booked the trip last fall: Irene. As our vacation neared and our anticipation grew, so did the news coverage of Hurricane Irene, whose path was quickly converging with ours.

Now, I've lived through my share of tropical storms and hurricanes over the years. It's a given when you live in coastal New England. We learned young to make a beeline for the supermarket to stock up on bread, milk and batteries; those staples are drilled into every child's head growing up in New England.

(When you reach adulthood, you learn that you are also supposed to stock up on booze.)

We were certainly never told to get on a boat, go to an island, and ride out the storm.

As it turned out, Irene (at least on our island) was a bit of a bust. Lots of wind, a little rain, plenty of Dark 'n' Stormy cocktails (recipe for that concoction available upon request). The sun was even out for most of it.

But watching the way people got ready for Irene was a great study of human nature. Some people prepared with the determination of Patton's army, leaving nothing to chance: windows taped, supplies stocked, boats pulled out of the harbor, insurance paid up, wills updated. Others bought a case of beer and threw a party.

If that's not a great metaphor for the differing approaches businesses take to dealing with risk, I don't know what is. Some watch the horizon and prepare for everything that can hurt them. Some sit back, certain in their belief that it will all be OK.

And most of the time everything is OK, but every now and then that person with the case of beer is swept out to sea. And sometimes the person who diligently stocked up and prepared for the worst actually has to face the worst.

But most times not. As a security professional, your job is to be a little bit of each type: Stock up and prepare...but also buy that case of beer and hope for the best.

-Bob Bragdon, bbragdon@cxo.com
What's on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

Labor Board Issues Memo on Social Media Cases

CSOs can catch up on the current state of the law concerning employees' social media usage

Realizing the confusion in the area of employee use of social media, the acting general counsel of the National Labor Relations Board issued a memo in August discussing the current state of the law. The introduction provides the reasoning for the memo:

"This report presents recent case developments arising in the context of today's social media. Social media include various online technology tools that enable people to communicate easily via the internet to share information and resources. These tools can encompass text, audio, video, images, podcasts, and other multimedia communications. Recent developments in the Office of the General Counsel have presented emerging issues concerning the protected and/or concerted nature of employees' Facebook and Twitter postings, the coercive impact of a union's Facebook and YouTube postings, and the lawfulness of employers' social media policies and rules. This report discusses these cases, as well as a recent case involving an employer's policy restricting employee contacts with the media. All of these cases were decided upon a request for advice from a Regional Director."

Businesses have been struggling with developing policies and approaches to the issues presented by social media in the workplace. For those businesses, this report is required reading. It provides one-stop shopping for the current state of the law in this area. The complete report can be found at: https://www.nlrb.gov/news/acting-general-counsel-releases-report-social-media-cases. —Michael Overly

BLOG POST

John Strand Slapped Me in the Face

Chad McDonald finds a valuable defense course is more like Home Alone than martial arts

I recently had the opportunity to participate in a course entitled "Offensive Countermeasures," taught by John Strand of PaulDotCom. It was my belief going into the class that I would be honing some "leet skillz" to beat back the attackers persistently targeting the resources that I was hired to protect. I envisioned an electronic Daniel Larusso learning some mystical techniques to fend off the digital Cobra Kai. Far from my fantasy of a cyber Karate Kid, the course is more aligned with Home Alone.

Your first impression may be that my Home Alone comparison is a slight against either John or the course itself. After all, which would you rather have in your corner: a highly trained martial artist or a mischievous 8-year-old? But for me, this was perhaps the most thought-provoking course that I've had the luxury of attending in my 16 or so years in technology.

We've all been taught that a weakness in antivirus software and intrusion-detection systems (IDS) is their dependence on signatures. These signatures mean that there must be an identified pattern in the mechanisms that an attacker is using against your network. This reliance on signatures leaves us blind to unique attacks. If the bad guys are bashing in your front door in a new and novel way, you won't even know about it until they get in. We know this is a weakness and that our failure to look for unique attacks leaves us vulnerable to one-off attacks.

We know this, yet when we architect our layered security, we all do the same thing. We are all using a firewall, intrusion-protection systems, IDS, antivirus, and so on. We're all using them the same way, yet we're shocked when someone bypasses them. We know that we need to look for novelty in attacks, yet we don't rely on novelty in our defenses. We're relying on boilerplate technology configured in boilerplate ways.

Strand's course, for me, was a wake-up call. I realized that I had fallen victim to vendor speak, expecting that since I was writing big checks for the latest and greatest security technologies and using industry-standard controls, my networks would be safe. I'd sworn nearly a decade ago that I would never get that complacent.

For me, Offensive Countermeasures was more valuable than the tricks and tips in the courseware; it was and remains a catalyst for rethinking how I defend that which I'm responsible for protecting. Don't get me wrong, I got a lot of value from the courseware. In fact, I'm working on implementing a few of the items discussed in class. It's just that the moment I realized how complacent I had become was such a slap in the face that I can't place a value on it.

So what is my takeaway from John's class? Aside from the concrete things offered in the courseware, I'm going to look at how I defend my network as if I'm a mischievous 8-year-old. I will find a way to piss off the attackers, slow down their advances, send them on some wild goose chases and find out as much as I can about them in the process. I'll find a way to set traps and alarms, and if I can swing a paint can from a banister, I'll do that too. I plan to spend a lot of time looking at the tools that I have and finding ways to use them in ways unique to my environment so that the bad guys won't be able to follow a standard script to get in. I vow not to make my network a signature or cookie cutter of every other production network out there. I think the message that Offensive Countermeasures offers is something that each of us can take to heart and apply to our own defensive measures: If you choose to ignore John's advice, I'm sure I'll be reading about you in the newspaper soon.

—Chad McDonald
PHISHING

RSA Spearphish Attack May Have Hit U.S. Defense Organizations

One attack file was created using a Chinese-language version of Excel

The hackers who in March broke into RSA, the security division of EMC, used the same attack code to try to break into several other companies, including two national security organizations, according to data provided by the malware analysis site VirusTotal.

"According to our data, RSA was just one of the targets," Bernardo Quintero, the founder of VirusTotal, said in an email interview. Attackers "used the same malware to try to penetrate other networks."

VirusTotal is a popular site with security professionals, who use it to get a quick industry consensus on suspicious files. It runs any file through a battery of antivirus-scanning engines and spits out a report within minutes. Someone at EMC used the service on March 19 to analyze an email message that contained the spearphishing attack that was used to break into RSA.

But according to Quintero, before the attack was publicly disclosed in mid-March, the same maliciously encoded Excel spreadsheet had already been uploaded to VirusTotal 16 times by 15 sources.

The file was first uploaded on March 4, the day after the phishing message was sent to RSA, and the malware wasn't detected by any of the site's 42 antivirus engines.

Because it relies on anonymous submissions, VirusTotal won't say who uploaded the documents. But according to Quintero's analysis, two of the targets were entities related to U.S. national security.

Buried in the metadata of the attack files is another clue, a sign that whoever created the attack used a Chinese-language version of Excel: The file was created using Windows Simplified Chinese. The attackers could have deliberately changed the file's settings to make it look like it came from China, but Quintero believes it was a simple oversight on the part of the hackers.

It would be natural for the person who wrote the RSA attack code to try to use it as much as possible before it was discovered and patched. Here the code was embedded in Excel documents, but the flaw it exploited when the documents were opened actually lay in Adobe's Flash Player.

Adobe learned of the issue on March 9, when a "partner in the security community" noticed the attack code at an undisclosed customer site, says Wiebke Lips, an Adobe spokeswoman. Before Adobe released its first advisory, a second customer, not RSA, also reported the attack, Lips said.

The RSA hackers broke in using a basic social engineering attack. They sent an email that looked like it came from an RSA partner, online recruiting firm Beyond.com, with the simple message, "I forward this file to you for review. Please open and view it." That file was named "2011 Recruitment plan.xls." Quintero says the hackers also used a second file name, "survey-questions_2011.xls."

In a post written shortly after the Adobe flaw was first disclosed, the Contagio Malware Dump blog listed four Excel files that were being used in attacks, including a "Nuclear Radiation Exposure and Vulnerability Matrix.xls" file that was doctored to look as though it came from the Nuclear Regulatory Commission.

It's not clear who the message containing the malicious file was addressed to, but in the March 17 spearphishing email that the Contagio blog also published, the attackers seem to be going after someone who would have taken an interest in the recent Japan earthquake.

Headed by the subject line "Japan Nuclear Radiation Leakage and Vulnerability Analysis," the email says, "The team has poured in heart and full dedication into this. Would be grateful if you appreciate it."

VirusTotal's findings offer clues but no answers to the questions raised by the attack on RSA, which was ultimately seen as a stepping stone to further attacks on defense contractors Lockheed Martin, L-3 and Northrop Grumman.

It's possible that the hackers who developed the attack used on RSA shopped their attack code around to other groups with other goals. Once hackers discover a previously unknown zero-day flaw, there's a lot of pressure to exploit it as much as possible before it is made public and then patched, says Alex Stamos, a founder of NCC Group's iSec Partners.

So it's not at all shocking that other companies were targeted with the same attack code, he says.

McAfee's research shows that other defense organizations were targeted by the attack, although not necessarily at the same time as the RSA incident, says Dmitri Alperovitch, McAfee's vice president of threat research.

"After that vulnerability became known, a lot of people started leveraging it, and that continued through April," he explains.

-Robert McMillan


PRIVACY

Are Web Paths Personal Data, Legally Speaking?

The behavioral advertising industry says no, but a consumer-advocacy group is petitioning lawmakers not to accept this argument

A leading international consumer group has called on the U.S. Federal Trade Commission and the European Union's main body for data protection, the Article 29 Working Group, to reject requests that behavioral advertising companies (online advertisers that track users to serve up personalized ads) be allowed to regulate themselves.

In a letter to lawmakers, the Transatlantic Consumer Dialogue (TACD) group said it was deeply concerned about the EU position on how Internet users are tracked online and how their data can be sold on to advertisers.

The group, which represents Internet users' interests, is alarmed at moves by the advertising industry to have Internet users' Web paths defined as "non-personal data."

"The EU should not accept the advertising industry's attempts to redefine people's Internet usage as 'non-personal data.' It's certainly personal, and a clear line should be drawn as this billion-dollar industry is now the currency of the Digital Age," says Monique Goyens, director general of the BEUC, a European consumer-advocacy organization.

The self-regulation system uses an icon to provide notice of data-collection practices, but TACD says that research shows very few users ever click on it.

"The current icon program gives a false impression of fairness," Goyens says.

Julian Knott, coordinator of the TACD secretariat, said in a letter, "The icon is the foundation of what's supposed to be a robust program of 'best' practices that can effectively empower users to make critical choices about their online privacy. Consumers who may click on the icon are initially dissuaded from taking appropriate measures to safeguard their privacy, as they confront an array of information that online profiling is primarily about providing them with 'appropriate' advertising, is non-personal and supports their access to a 'free' Internet."

"Under both the EU and U.S. self-regulatory regimes, sensitive data, such as that involving consumers' health or finances, can be collected without ensuring that they have real opportunities to proactively protect how such information is used," Knott said.

Behavioral advertising collects information primarily by using cookies, tiny pieces of code installed on the user's computer to remember preferences relating to a particular website.

The law governing cookies in the EU is the revised ePrivacy Directive, which became law in May and requires companies to obtain explicit consent from Web users before tagging them with cookies.

However, the vast majority of EU member states failed to implement the law, citing confusion about how to define "explicit consent."

The European Commission recently started legal action against the 20 countries that failed to implement the new rules.

-Jennifer Baker
Security: A Transformational Approach to Combating Cyber Threats

As new security threats appear, CIOs are increasingly challenged with keeping their organizations safe from cyber attacks. Find out from HP's enterprise security lead how to get out from behind the eight ball.

How are evolving IT environments—mobility, IT consumerization, virtualization, cloud computing—impacting today's security landscape?

Major transitions in IT inevitably lead to opportunities for cyber criminals. We're now seeing the use of cloud computing, mobility and social media greatly expand the threat surface for organizations to defend, especially against attacks that target users and Web applications. All of these technology trends provide valuable benefits, but organizations need to think about new security controls to offset the associated risks.

Are companies who don't take a proactive approach to neutralizing potential security risks in danger of being left behind, or worse, attacked more easily?

We think security needs to move from a defensive position to a more proactive, risk-management approach. This includes identifying critical IT services that support sensitive data and understanding where the vulnerabilities lie within each of those systems and applications. It's more effective for enterprises to anticipate, close up, and protect vulnerabilities in advance rather than locking systems down and reacting after a breach has occurred.

What do your research groups tell you are the newest wave of security threats facing enterprises today?

Cyber threats have become more sophisticated, persistent and unpredictable. New research commissioned by HP found that the volume, cost and complexity of security threats have continued to escalate. One recent survey found more than 50 percent of executives believe that breaches in their organizations have increased, with another study revealing that the cost of cyber crime has risen 56 percent per organization on an annual basis. While there is increased awareness, cyber-criminals continue to find more surface vectors and increased opportunities for attacks.

Will the point products that handle security breaches today become ineffective in mitigating the types of security threats we'll be seeing in the future?

There are thousands of security vendors with very good point products; however, the information generated by a single security product does not provide a complete picture. Information security teams must deliver actionable intelligence to their organizations to minimize risk through the correlation of not only security information, but also the functions of security technologies. Unless the right data can be brought together intelligently and security products can work together intelligently, we'll continue to be on our back foot when it comes to fighting cyber crime.

Explain for us how HP's new security ecosystem can provide diverse enterprise security coverage.

To help organizations manage the risk and compliance demands associated with escalating IT complexity and security threats, HP has established a foundation for a unified approach to enterprise security. The HP Security Intelligence and Risk Management (SIRM) platform offers advanced correlation, application protection, and network defense technology to protect applications and IT infrastructures from sophisticated cyber threats. Supported by an expansive network of partners, the platform helps to remove risk from existing infrastructures and establishes a framework for deploying future systems within a more secure environment.
SALTED HASH

Security Horror Show

PEOPLE LOVE to complain about the TSA and the body scans they now suffer through during airport security screenings. We know that—misguided or not—the goal is to stop terrorists from hijacking planes.

But if you stop a middle-aged woman and tell her she can't enter the United States because the cops went to her home after an attempted suicide years ago and that makes her a security risk, well... What is there to say? It's painfully obvious that some in airport security are sitting on their brains.

It's reasonable to argue that body scans and enhanced pat-downs are over the line. But denying people entry to the country because of incidents like this just goes to show how flawed this system is.

Security experts have a name for measures that amount to window dressing: security theater. I call this a security horror show.

Here's an excerpt from the CBC News article that set me off:

"More than a dozen Canadians have told the Psychiatric Patient Advocate Office in Toronto within the past year that they were blocked from entering the United States after their records of mental illness were shared with the U.S. Department of Homeland Security.

"Lois Kamenitz, 65, of Toronto, contacted the office last fall, after U.S. customs officials at Pearson International Airport prevented her from boarding a flight to Los Angeles on the basis of her suicide attempt four years earlier.

"Kamenitz says she was stopped at customs after showing her passport and asked to go to a secondary screening.

"There, a Customs and Border Protection officer told Kamenitz that he had information that police had been to her home in 2006.

"'I was really perturbed,' Kamenitz says. 'I couldn't figure out what he meant. And then it dawned on me that he was referring to the 911 call my partner made when I attempted suicide.'

"Kamenitz says she asked the officer how he had obtained her medical records.

"'That was the only thing I could think of,' she says. 'But he said, no, he didn't have my medical records but he did have a contact note from the police that [they] had attended my home.'

"Stanley Stylianos, program manager at the Psychiatric Patient Advocate Office, says his organization has heard more than a dozen stories similar to Kamenitz's."

When the police visit your home because you tried to kill yourself, it's a tragic situation. But it's a medical emergency, not an attempt at murder. It's certainly not an attempted terrorist attack.

If this doesn't outrage security professionals and privacy advocates everywhere, then maybe I have lost my touch. A decade after 9/11, I have to ask if this is really the best we can do.

There's not much more to say about this, other than that it's time for DHS to seriously reconsider its procedures. There's a gray, squishy line between security and stupidity, and these guys crossed that line some time ago.

—Bill Brenner

CSOonline's new Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso


Security Wisdom Watch

Thumbs down: 9/11 anniversary hacks: Hackers used the 9/11 anniversary to create online mischief, hijacking NBC News's Twitter account and posting bogus updates about an attack on New York. As a CNN reporter said on that day 10 years ago, "There are no words."

Thumbs both ways: Car hacking: Some vendors are stirring the FUD pot with warnings about hackers hijacking increasingly computerized cars. It's a bit early for this to be a real threat. But as we've seen with smartphone hacking, theory eventually becomes reality.

Thumbs down: Airport screening: Telling a woman she can't enter the United States because the cops went to her home after an attempted suicide six years ago is not going to reduce terrorism. So why are customs officials doing it? In our view, it's security theater gone horribly wrong.

Thumbs up: Social media in emergencies: Twitter, Facebook and other social media have proved valuable during recent earthquakes and hurricanes. If these platforms existed on 9/11, additional lives might have been saved.

Thumbs both ways: Sourcefire's Agile Security: The vendor is taking care to avoid compromising its Snort open-source intrusion-detection system while it expands its portfolio. This is a big relief, as many organizations rely on Snort. Merging new technology with old can be problematic, but it's so far, so good during Sourcefire's recent steady expansion. -B.B.
INTRODUCING MORE THAN JUST A LITTLE RISK TO YOUR BUSINESS?

HP Enterprise Security has what you need to secure your applications, information and operations. Backed by our unparalleled security research team, we can help you protect your enterprise and identify risks before you even know they exist.

For more information go to www.hpenterprisesecurity.com.

CYBER THREATS. MOBILITY. CLOUD. SOCIAL MEDIA.
>> BRIEFING

DATA BREACH

HOSPITAL INVESTIGATES MASSIVE PATIENT DATA LEAK

Confidential medical data of up to 20,000 patients may have been compromised

Stanford University Hospital in Palo Alto, Calif., is investigating how a spreadsheet containing personal medical data on 20,000 patients ended up being publicly available for nearly a year on a homework help site for students. The spreadsheet first became available on the site in September of last year as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The poster asked how the medical data in the attachment could be presented as a bar graph.

The spreadsheet was being handled by one of the hospital’s billing contractors and contained names, diagnosis codes, account numbers, and admission and discharge dates for about 20,000 patients who visited the emergency room at the hospital in 2009. No Social Security numbers, addresses, birth dates, or credit card details were compromised in the breach.

Even so, Stanford has agreed to pay for identity theft monitoring services for the victims.

The hospital learned about the spreadsheet in August, when a patient noticed it on the Student of Fortune website and informed the hospital about it. The spreadsheet was taken down immediately after.

Stanford has since suspended its relationship with the billing contractor and has asked it to either destroy or securely return all data about Stanford patients that it has in its possession, the New York Times quoted a hospital spokesman as saying. The spreadsheet had been prepared by the contractor as part of a billing analysis for the hospital.

Student of Fortune did not immediately respond to a request for comment on the incident. But a spokeswoman for the homework-help site is quoted in the New York Times as saying that the site had been unaware of the data until it was informed about it by the hospital, at which time it promptly took the information down. The spokeswoman says the identity of the poster cannot be determined.

This is the second time in less than two years that Stanford has been in the news over a data breach. In January 2010, an employee stole a computer containing the protected health information of 532 patients from the hospital’s heart center.

The breach resulted in the hospital getting hit with a stiff $250,000 fine by the California Department of Public Health for its alleged failure to notify affected victims of the breach as soon as was required under state laws. Stanford has appealed the fine, contending that it acted in a manner consistent with the state’s data breach reporting requirements.

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, says Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

Much of the problem stems from the indiscriminate sharing of sensitive personal information among “legions of secondary users,” she says.

The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel says. “We do not have an effective federal health privacy law. HIPAA was gutted in 2002, when control over who can see and use patient data for all routine uses was eliminated,” she says.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent, such as consent to use the data to pay a claim or send to a consultant. Consent should be obtained for any secondary or new uses of data,” she says.

-Jaikumar Vijayan


MARKET PULSE
In the ongoing struggle between employees who want to use their mobile devices to access corporate data and IT departments that strive to secure and control all endpoints, the employees are winning.

As companies attempt to keep up with the pace of business today and compete in the global marketplace, employees are demanding access to corporate networks and data from wherever they may be, with whichever device they're using. Business units are putting pressure on IT to comply with regulatory requirements. Now the challenge lies in finding ways to secure and manage mobile workers without interfering with how they get their jobs done.

However, in a recent IDG Research Services study of 115 IT security professionals, 59 percent of the respondents reported that they are just somewhat or not at all effective at minimizing mobile security and compliance risks. Security professionals are well aware of the risks: 94 percent of the respondents believe that there is at least a moderate amount of risk inherent in supporting a mobile workforce, including unauthorized data sharing, data loss, and the introduction of malware to the corporate LAN.

So IT departments need solutions to protect mobile assets—particularly notebooks, which are still the most prevalent mobile computing devices and often contain sensitive or confidential information. Once these devices leave the corporate office, they become potential threat vectors that can lead to data breaches.

Not only are mobile devices at relatively high risk but studies also show that employee behavior changes when the employees aren't in the office. For example, employees are 35 percent more likely to violate corporate Web surfing policies outside of the office than when they are in the office. Also, most corporations haven't updated their acceptable-use or compliance policies for assets used outside of the office.

Finding Balance

Cloud-based services are emerging as effective alternatives that help enterprises strike a balance between flexibility and protection without requiring significant up-front investments or creating drains on IT resources. These solutions provide data security for mobile users in a way that has the least impact on corporate networks, can be quickly and easily implemented and can scale as the mobile workforce grows.

For comprehensive security of Windows-based notebooks, Symantec Endpoint Protection.cloud protects mobile devices without having an impact on the end user experience or requiring the installation of additional hardware or management software. The service provides advanced technologies for antivirus and antispyware efforts, firewalls and host intrusion prevention to protect notebooks, whether in the office or on the road.

Because the Web is a primary threat vector, Symantec also offers a service to help enterprises implement acceptable-use policies for mobile employees, facilitating the same level of protection as for office-based employees. Symantec MessageLabs Web Security.cloud protects mobile users from Web-borne threats via URL filtering and gives IT departments control by monitoring and enforcing Web acceptable-use policies with minimal latency.

To help enterprises maintain compliance with regulations, Symantec offers encryption for laptops, external drives and USB flash drives mobile employees take on the road.

The mobility trend will continue to sweep through enterprises, but security doesn't have to lag behind. Effective cloud-based solutions give IT professionals a scalable, cost-effective way to strike a delicate balance between flexibility and control.

For more information, go to www.csoonline.com/whitepapers/symantecmobile and get a free download of the full white paper "Mitigating Risk in a Mobile World" and the complete research results.

Symantec / CSO Custom Solutions Group


TACTICS

By Neil Roiter

Generation Next

Next-generation firewalls may control applications and cost, but don’t get sucked in by the hype

Next-generation firewalls, meet this generation’s network and threat environment.

Traditional stateful inspection firewalls, with their port- and protocol-based controls, have limited visibility into the contemporary Web-based network landscape. Thanks to the explosive popularity of Web 2.0, there are thousands of Web-based business and consumer apps, and attacks are launched primarily through the application layer. Stateful inspection firewalls cannot distinguish what applications are passing via HTTP and HTTPS over ports 80 and 443. Attackers have become adept at using low-and-slow techniques in targeted attacks that evade intrusion-prevention systems (IPS).

Next-gen firewalls, in contrast, perform deep packet inspection to identify application traffic at Layer 7, in a single inspection pass that integrates firewall, intrusion-prevention and additional security capabilities in one high-performance appliance. Application intelligence, combined with user identity information, provides context for highly granular firewall access rules that allow for detection of contemporary Web-based attacks. Enterprises can enforce security and acceptable-use policies in ways that make sense for the business, in contrast to black-and-white policies like “No one can use Facebook” or “We have to let everyone use Facebook.”

This is a fast-growing market, created when Palo Alto Networks appeared on the scene in 2007 with the capabilities and feature sets that characterize what are now known as next-gen firewalls. Most other firewall and unified threat management vendors have introduced, or are at least developing, network security products that provide fine-grained application and user controls in integrated, high-performance appliances.

“IPS should have been combined with firewall much sooner,” says Greg Young, a Gartner research VP. “IPS ballooned up beyond $1 billion and took on a life of its own; no one was integrating. Palo Alto [Networks’ next-generation firewalls] changed the game, and incumbent firewall vendors have been forced to react to meet that threat.”

Next-gen firewall adoption was between 5 percent and 10 percent of total firewall appliances in 2010, according to a joint report by Infiniti Research and TechNavio Insights, and is expected to gain significant market share over the next few years. Gartner has predicted that next-gen firewalls will comprise 35 percent of the installed firewall base by the end of 2014 and will account for 60 percent of all firewall purchases.

In some cases, enterprises are deploying next-gen in front of their existing network firewalls and IPS to get the benefits of app-layer and user-ID filtering without a wholesale rip-and-replace. In other cases, they put it behind their firewalls and IPS to see what is getting through.

“They look at it as an adjunct,” says Lisa Phifer, president of consultancy Core Competence. “They either want to apply extra granularity or use next-gen to act as a sanity check if something goes through that wasn’t expected.”

But that’s now the exception, says Young. Today, 95 percent of next-gen purchases are firewall replacements, as the newer technology has proven its value and the vendor selection has widened.

Driving the Market: Consolidation and Cost Come First

Application-based controls and security provide the flash and the coolness factor, but the business case most often relies on the savings and reduced management overhead that come with consolidating several security products into an integrated platform that meets the needs of highly demanding enterprise networks.

“It became apparent that we could consolidate a lot of the technologies we were looking at,” says David Rahbany, director of enterprise IT infrastructure at Hain Celestial Group. Hain purchased and deployed Fortinet next-gen appliances when it consolidated connectivity among its distributed sites and corporate data centers from Internet-based VPN to a multiprotocol label switching (MPLS) network.

“The driver was really the costs associated with the MPLS deployment. We could focus our gateway security perimeter on a handful of sites, for which next-generation products better suited our needs.” Rahbany also cited better management control for a relatively small IT staff.

The end of a normal refresh cycle for perimeter devices is a logical time to look at replacement, but a case can be made for off-cycle next-gen deployment if the savings and benefits are compelling. For example, 24-Hour Fitness, a Palo Alto Networks customer, had a year left in the depreciation write-off for its existing firewalls, but found that the savings in purchasing sooner rather than later more than offset the lost depreciation.

“It was smarter to combine everything—firewall, malware detection, Web filtering, threat management—at a lower cost,” says Jason Kwong, director of IT operations and security. “The justification wasn’t hard.”

But although consolidation and cost savings are paramount, application awareness and control (what Gartner’s Young calls the “sizzle”) are a key driver as well. Next-gen appliances enable enterprises to create policies and rules that reflect the modern Web-based IT business environment, including the growing use of Web 2.0 for both business and personal use. Just as significantly, the technology can be used to monitor and enforce compliance with these policies. It also provides the ability to identify thousands of individual applications and establish rules governing not only which are allowed, but under what circumstances and by whom.

So, for example, peer-to-peer applications might be prohibited, but Skype might be authorized for users who have a legitimate business need for it. All users might be allowed to use Facebook to network but might be blocked from accessing the site’s applications.

From a security perspective, next-gen appliances provide much stronger filtering and threat detection than the combination of traditional firewalls, standalone IPS and other security products, such as URL filtering. If the appliance is performing deep packet inspection on the firewall, it can more effectively reduce the traffic to authorized applications and users, and simplify detection of potential attacks by focusing on what still gets through. The single-pass inspection up front allows the product to correlate and analyze the output of its various security engines.

“In many ways, this is a call for a better IPS that’s aware of protocols and applications,” says Rick Moy, president and CEO of NSS Labs. “Now it’s imperative for the firewall to know more about the applications because it has to work in conjunction with IPS to provide context for IPS to do its job.”

For example, Moy says, the firewall can tell the IPS module that the application being used is Skype, and the IPS can focus on detecting known Skype attacks rather than applying all of its thousands of signatures to every packet.
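The two ideas in the preceding paragraphs, application- and user-based rules (P2P prohibited, Skype only for users with a business need, Facebook allowed but its apps blocked) and the firewall handing application context to the IPS so it runs only the relevant signatures, as an added example that is not code from the article or from any vendor it names. Everything in it is constructed: the rule names, the user groups, the application labels and the placeholder signature strings. It assumes the appliance has already classified each flow's application at Layer 7 and resolved the user's group, which is the identification work the article says next-gen products do; the example only shows what the policy and IPS layers do with that context.

```python
"""Toy next-generation firewall policy engine: application- and user-aware
rules evaluated first-match, plus IPS signature dispatch scoped to the
identified application. Constructed example; not any vendor's code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One classified connection. `app` is assumed to come from the appliance's
    Layer 7 identification and `group` from its user-ID integration."""
    user: str
    group: str
    dst_port: int
    app: str
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    apps: Optional[FrozenSet[str]] = None    # None matches any application
    groups: Optional[FrozenSet[str]] = None  # None matches any user group


def port_policy(flow: Flow) -> str:
    """A traditional stateful firewall only sees ports: anything on 80/443 passes."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Rule base mirroring the article's examples (constructed names and groups):
# P2P prohibited; Skype only for groups with a business need; Facebook allowed
# but its embedded apps blocked; everything else denied.
NGFW_RULES: List[Rule] = [
    Rule("deny-p2p", "deny", apps=frozenset({"bittorrent", "gnutella"})),
    Rule("skype-approved-groups", "allow", apps=frozenset({"skype"}),
         groups=frozenset({"sales", "support"})),
    Rule("deny-skype-others", "deny", apps=frozenset({"skype"})),
    Rule("deny-facebook-apps", "deny", apps=frozenset({"facebook-apps"})),
    Rule("allow-facebook", "allow", apps=frozenset({"facebook"})),
    Rule("default-deny", "deny"),
]


def ngfw_policy(flow: Flow, rules: List[Rule] = NGFW_RULES) -> Tuple[str, str]:
    """First-match evaluation, returning (action, name of the matching rule)."""
    for rule in rules:
        if rule.apps is not None and flow.app not in rule.apps:
            continue
        if rule.groups is not None and flow.group not in rule.groups:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"  # only reached if the rule base lacks a catch-all


# IPS signatures keyed by application. Patterns are constructed placeholders,
# not real attack signatures; "*" holds application-agnostic checks.
SIGNATURES: Dict[str, List[Tuple[str, bytes]]] = {
    "skype":    [("SKYPE-PROBE-1", b"SKYPE-MALFORMED-PROBE")],
    "facebook": [("FB-APP-INJECT-1", b"<script>fb_inject(")],
    "http":     [("HTTP-TRAVERSAL-1", b"../../etc/passwd")],
    "*":        [("GENERIC-NOP-SLED", b"\x90" * 16)],
}


def candidate_signatures(app: str) -> List[Tuple[str, bytes]]:
    """Signatures the IPS actually runs once the firewall has named the app."""
    return SIGNATURES.get(app, []) + SIGNATURES["*"]


def total_signatures() -> int:
    return sum(len(v) for v in SIGNATURES.values())


def ips_inspect(flow: Flow) -> List[str]:
    """Run only the app-scoped subset and return the names of matching signatures."""
    return [name for name, pattern in candidate_signatures(flow.app)
            if pattern in flow.payload]


def evaluate(flow: Flow) -> dict:
    """Single-pass view: policy verdict first, IPS only on traffic that is allowed."""
    action, rule = ngfw_policy(flow)
    hits = ips_inspect(flow) if action == "allow" else []
    return {"port_only": port_policy(flow), "ngfw": action, "rule": rule,
            "ips_hits": hits, "signatures_run": len(candidate_signatures(flow.app))}


if __name__ == "__main__":
    # Constructed flows: BitTorrent hiding on 443, an approved Skype user whose
    # payload carries the placeholder probe string, and a Facebook app.
    for f in [Flow("bob", "engineering", 443, "bittorrent"),
              Flow("alice", "sales", 443, "skype", b"hello SKYPE-MALFORMED-PROBE"),
              Flow("bob", "engineering", 443, "facebook-apps")]:
        print(f.user, f.app, evaluate(f))
```

The first flow is the article's central point: a port-only policy passes BitTorrent on 443 because it cannot see the application, while the application-aware rule base denies it. For the approved Skype flow, the IPS runs the two Skype-relevant checks rather than all four in the table, which is the narrowing Moy describes; the `signatures_run` field makes that visible.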

“The flip side to enablement is whether I can limit the number of applications that can penetrate the network, thereby controlling avenues of attack,” says Chris King, Palo Alto Networks director of product marketing.

This integrated approach makes it easier to track the source of a potential security event than with separate appliances, and effectively reduces the false positives and false negatives associated with IPS.

“We’ve mitigated risk in providing access to those applications and gained better insight into who’s using what and how,” says 24-Hour Fitness’ Rahbany. “We have management oversight that we lacked. We’re in a better position to anticipate threats and manage bandwidth and applications.”

>> TOOLBOX

Evaluating Next-Gen Tools: What to Look For

Next-gen firewalls are complex products, and vendors claim an impressive array of capabilities. Determining how well an appliance meets your needs requires understanding your enterprise’s requirements, and a lot of research and testing.

Look under the hood. All vendors will claim to have a special sauce for doing that voodoo that they say they do so well, but next-gen requires sophisticated software and hardware engineering that didn’t exist until a few years ago. Hold the vendor’s feet to the fire to get them to explain their software and hardware architecture and how it accomplishes the required processing, inspection, correlation and analysis. Consult third-party reviews and analysis as well. Questions to ask include:

■ Is there actually only one inspection pass being leveraged by the various engines in the box?

■ Is inspection taking place on the firewall, where it can effectively pre-filter traffic and provide context for IPS and other integrated tools?

■ Are the firewall and IPS truly integrated, or simply packed in the same box?

■ Does the product run on standard hardware or as a dedicated appliance? The general trend in IT has been toward use of standard hardware, but next-gen requires purpose-built appliances that can meet its demands in an enterprise environment.

■ Have they built truly new products or just adapted existing firewall and IPS technology? Most vendors, with the exception of Palo Alto, have existing firewall and IPS engines, and are now trying to integrate application control and other features with the tools they already have, says Young. “They’re not completely integrated, so they have this hair-pinning of traffic between modules,” he says. “This is highly inefficient.”

Check its performance. All this capability comes at a price. Unlike traditional network firewalls, a next-gen appliance (like standalone IPS) is a “bump in the wire” that can clog the flow of production traffic. Connections per second—throughput with all the security features turned on—must be carefully evaluated and tested in as close to a real-world production environment as possible.

One issue in particular to address with your vendor and in testing is how the next-gen firewall handles encrypted traffic. Can the firewall intercept, decrypt and re-encrypt SSL/TLS, SSH and VPN traffic, and, if it does, at what cost to performance?

Determine realistic requirements for your production environments and test accordingly. Where and how you use the next-gen firewall is a strong factor to consider in assessing performance. Financial transactions, stock trading, and so on, are extremely performance-sensitive. Weigh the criticality of the assets and systems you are protecting when creating appropriate rule sets and deciding which security services to enable. For example, says NSS Labs’ Moy, unified threat management (UTM) performance typically drops by 60 percent, from 10Gbps to 3 or 4Gbps, when IPS is enabled, and there is an even more drastic reduction, to 300 to 400Mbps, when antivirus capabilities are turned on.

“I’d be skeptical about turning on [antivirus] on the firewall,” he says. “In front of the data center, probably not, but maybe at the perimeter.”

More and more complex rules will also affect performance, so factor that into your testing.

“The deeper the policies, the more you feel an impact,” says Core Competence’s Phifer. “As you layer on additional checks, it is going to get slower and slower.”

There are a number of high-end products on the market that perform load and security testing. These are expensive, but worth investing in if you are going to be doing a lot of network equipment and network security product testing in-house. If not, there are third-party testing providers, many of whom make use of these tools.

“Pilot the heck out of it,” says Kwong. “I’ve dealt with many firewalls, and out-of-box we needed to tune a lot of parameters before we got to the right performance level. From my experience with previous firewalls, I’ve always found performance didn’t quite match the claims.”

Be realistic about application control. Before you are blown away by a vendor’s assertion that they have so many thousand applications in their library, consider your application policies and practices. Learn which applications your company’s employees are using for legitimate business purposes, which are likely to be used in the future, who is using them and how they are being used. Armed with this information, you can create security and appropriate-use policies and evaluate next-gen firewall products on their ability to monitor and enforce policy around these apps.

“Vendors claiming large numbers of applications is kind of meaningless; the numbers are not important,” says Gartner’s Young. He recommends that once you decide which applications you want to deal with, you make sure they are in the library, find out whether they produce false negatives or positives, and run them through a configuration exercise.

“If you want to block Mafia Wars or allow Facebook for sales and marketing, how difficult is the task, and does the workflow it produces make sense?” he says. Configuring an application should be easy, and should be done using a wizard-like, hierarchical interface.

Young also suggests testing a topical application that’s known to be malicious or cause problems on networks and seeing if the appliance catches it.

Make sure it’s easy to manage. Next-gen firewalls are a different experience from managing traditional firewalls and standalone IPS, so it is critical that the management interface make the transition as seamless as possible. On one hand, the ability to define very specific, context-based rules for applications and users introduces a new level of complexity. On the other hand, the rules can be more sharply defined, so it’s easier to get exactly what you intend without ambiguity or layers of rules.

“You can use that granularity and power, but in a way that becomes more manageable,” says Phifer. “But it will still be harder than before; it’s part of the pain of gaining that extra level of control.”

It’s important that the management interface and rule creation be as intuitive as possible and reflect the integration of the components’ capabilities.

“The ability to centrally manage and distribute policy was a criterion,” says Rahbany. “The firewall rule set is very intuitive and familiar. There was some discrepancy between centralized management tools and the UI at the firewalls themselves.”

Caveat Emptor

Don’t assume anything based on vendor claims. Not every product that’s called “next-gen firewall” lives up to that description, and product capabilities vary widely. Take a hard look at:

Throughput. What happens when all the security services are enabled? How does the appliance perform under a real-world rule set tailored to your environment?

Detection. Test to determine if the vendor has made trade-offs between performance and detection. IPS has historically been marked by compromises in this area to keep up with high-speed networks.

Integration. Determine whether the components are truly integrated or just colocated. Integrated appliances will perform a single inspection pass on the firewall for all components.

Standard hardware. This is a show-stopper. Next-gen firewalls require the muscle of purpose-built hardware. “Beware of people who are overly reliant on general-purpose equipment to deliver all this extra inspection and try to defy the laws of physics,” warns Young.

Applications. Vendors are likely to have a tough time keeping up with every new application and how enterprises will use them. “Despite the fact that vendors all have long lists of applications that they advertise, this is probably where customers might be most disappointed,” says Phifer, because it seems like every day some app is being added to Facebook or there is a new capability being added to Twitter. Vendors will constantly be playing catch-up with what everyone is experiencing live.
Dos  and  Don’tsfor 
Next-Gen  Firewalls 

DO  understand  the  new  management  par¬ 
adigm.  Policies  and  rules  are  built  around 
applications  and  users,  not  just  ports  and 
protocols,  and  will  be  tightly  tied  to  busi¬ 
ness  practices— authorized  and  ad  hoc— 
that  are  very  different.  However,  once  the 
admins  get  the  knack,  rule  sets  will  be  more 
streamlined  and  specific. 

“There’s  a  learning  curve;  you  come 
to  deal  with  terms  that  are  much  more 
human-understandable,  using  user  names 
and  groups  instead  of  IP  addresses,”  says 
Oded  Gonda,  vice  president  of  network 
security  at  Check  Point.  “It  requires  some 
patience  for  people  used  to  working  in  a 
very  network-centric  role.” 

DO  have  policies  controlling  applica¬ 
tion  use.  Have  at  least  basic  application 
policies  that  can  be  translated  into  rules 
that  take  advantage  of  next-gen  capabilities, 
rather  than  simply  transferring  old  rules 
without  regard  to  what  you  are  now  able  to 
do.  This  enables  users  to  productively  use 
applications  that  may  have  been  banned  or 
severely  restricted. 

“Organizations  that  already  have  a  pol¬ 
icy,  or  goals,  or  a  culture  of  what  they  can  do, 
will  be  much  more  successful,”  says  Young. 
“I  see  a  lot  of  dissatisfaction  when  organiza¬ 
tions  don’t  have  those  policies,  [and  they] 


bring  in  application  control  and  don’t  have 
anything  to  enforce.” 

DO consider the incumbent vendor. Retraining and re-creating your rule base can be a major disruption. While next-gen requires some rule changing, there are generally more headaches associated with changing vendors. If you have a major investment in a firewall vendor across a large, distributed enterprise, account for the level of change you're talking about. Young recommends planning for two- and five-year windows with the aim of reducing or eliminating multiple firewall vendors.

DO service branch offices as well as central locations. Next-gen firewalls from the same vendor should be deployed in branch offices. If you have UTM appliances in branch offices, plan on replacing them with appropriately sized appliances as you bring in the next-gen technology. This will allow central management, one-source service and uniform policy administration.

DON'T ignore the value of application visibility. There is considerable value in simply monitoring application and user activity through the next-gen firewall, even if you already have Web application acceptable-use policies in place. You will see activities and application usage that you may have been unaware of, which will help you tweak existing rules or create new rules and policies, and avoid restricting or blocking productive business activity.

"There's an element of discovery in terms of what was going over the wire that helped me visualize potential threats or hot spots I didn't necessarily anticipate," says Rahbany.

DON'T forget proprietary applications. These are not the apps you're going to be watching for unauthorized activity—at least not through your firewall—but you want to make sure you do no harm.

"It's a bit of a weak link for a lot of vendors," says Phifer. "Most have some methodology for identifying them." She recommends taking a sampling of proprietary applications, crafting rules and policies, and finding out whether there is a risk of blocking legitimate apps or generating false positives. ■
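The two review tasks above (discovering application usage your acceptable-use policy never mentioned, and checking whether sampled proprietary applications are being misclassified and blocked) can be done with nothing more than the firewall's application-visibility log. The script below is an added example written for this page, not code from the article, from Rahbany, Phifer or any firewall vendor. The key=value log format, the field names (ts, user, app, action, dst), the application names, the acceptable-use list and the proprietary-application sample are all constructed for the example; a real next-gen firewall exports its own format and app identifiers.

```python
"""
Added example: review next-gen firewall application-visibility logs to
  1. summarise which applications each user actually runs,
  2. discover applications not covered by the acceptable-use policy, and
  3. flag denied "unknown-*" flows to servers that a sampled proprietary
     application is known to use (likely false positives that block it).
Log lines, field names, application names and policy entries are constructed.
"""
from collections import defaultdict

# Constructed app-visibility log in a simple key=value form (not a vendor format).
SAMPLE_LOG = """\
ts=2011-09-01T08:01:10 user=alice app=web-browsing action=allow dst=10.1.1.5
ts=2011-09-01T08:02:30 user=bob app=bittorrent action=allow dst=203.0.113.7
ts=2011-09-01T08:03:11 user=alice app=unknown-tcp action=deny dst=10.1.2.20
ts=2011-09-01T08:05:45 user=carol app=dropbox action=allow dst=198.51.100.9
ts=2011-09-01T08:07:02 user=bob app=unknown-tcp action=deny dst=10.1.2.20
ts=2011-09-01T08:09:19 user=dave app=ms-rdp action=allow dst=10.1.3.4
ts=2011-09-01T08:11:00 user=carol app=web-browsing action=allow dst=10.1.1.5
"""

# Applications the (constructed) acceptable-use policy already addresses.
ACCEPTABLE_USE = {"web-browsing", "ms-rdp", "ssl"}

# Sampled proprietary apps and the internal servers they talk to (constructed).
# The firewall has no signature for them, so their flows show up as "unknown-*".
PROPRIETARY_APPS = {"erp-batch": {"10.1.2.20"}}


def parse_line(line):
    """Parse one key=value log line into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split())


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def usage_by_user(records):
    """Visibility summary: user -> sorted list of applications observed."""
    apps = defaultdict(set)
    for r in records:
        apps[r["user"]].add(r["app"])
    return {user: sorted(a) for user, a in apps.items()}


def discover_unpolicied_apps(records):
    """Identified apps that no acceptable-use rule mentions, with the users running them.
    Unidentified ("unknown-*") traffic is handled separately below."""
    seen = defaultdict(set)
    for r in records:
        if r["app"] not in ACCEPTABLE_USE and not r["app"].startswith("unknown-"):
            seen[r["app"]].add(r["user"])
    return {app: sorted(users) for app, users in seen.items()}


def proprietary_false_positives(records):
    """Denied unidentified flows to a proprietary app's servers: count per app.
    A non-zero count means the new policy is probably blocking legitimate use."""
    hits = defaultdict(int)
    for r in records:
        if r["action"] != "deny" or not r["app"].startswith("unknown-"):
            continue
        for app, servers in PROPRIETARY_APPS.items():
            if r["dst"] in servers:
                hits[app] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Usage by user:", usage_by_user(recs))
    print("Apps outside the acceptable-use policy:", discover_unpolicied_apps(recs))
    print("Likely blocked proprietary traffic:", proprietary_false_positives(recs))
```

Run against the constructed log, the discovery pass surfaces bittorrent and dropbox, neither of which the policy mentions, and the proprietary check reports two denied unknown-tcp flows to the ERP batch server, which is exactly the "do no harm" case Phifer describes: a sampled proprietary app that the firewall cannot identify and a policy that is silently blocking it.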


Neil  Rotter  is  a  frequent  contributor  to  CSO. 
Send  feedback  to  editor  Derek  Slater  at 
dslater@cxo.com 
Are You an IT Security Leader?

An astonishing number of survey respondents believe they are IT security leaders. But what does it really take to be a leader, and how does your organization stack up? By George V. Hulme

A surprisingly high—unreasonably high, in fact—number of organizations think their security program is part of the vanguard of risk management.

That was one surprising finding of this year's annual Global Information Security Survey, conducted by CSO and CIO magazines in partnership with PricewaterhouseCoopers. More than 9,600 business and technology executives from around the world took the survey, and 43 percent of those surveyed believe their organizations are IT security leaders. The other categories respondents could choose from were strategist, tactician and follower.

Obviously those enterprises, by definition, can't all be at the forefront of security. "Most of these 'leaders,' in my opinion, have a false sense of their level of security," says Mark Lobel, a principal in the advisory services division of PwC.

43% believe their organizations are IT security "leaders"

Ahead of the Bell Curve

In an attempt to identify the organizations that might actually be information security leaders, PwC filtered the results according to conditions it felt would qualify a company to deserve the label.

■ First, the CISO had to report directly to a senior executive.

■ Second, the organization had to have an IT security strategy in place and the ability to execute that strategy.

■ Third, it had to have reviewed its security policy in the past year.

■ And finally, if the company had suffered a data breach, it had to know the breach's cause.

Under those criteria, less than S percent of respondents' organizations actually made the cut.

About half of respondents reported suffering one or more breaches, and a third said they weren't breached in the past year. About 8 percent couldn't tell whether they had been breached or not. The good news from those figures is that a growing number of companies believe they understand the security events happening on their networks, and know what applications or systems were infiltrated.

About 8% couldn't tell whether they had been breached in the past year

However, that confidence doesn't align with the increased sophistication of malware in recent years. "In our engagements and my conversations with peers, we are dealing with more organizations that are grappling with international infiltration," says Shawn Moyer, practice manager of research consulting at Accuvant Labs. (For more on this topic, see "Customized, Stealthy Malware Growing Pervasive" at www.csoonline.com/article/677S4i.) "Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere," Moyer says.

"I think there are a lot of executives out there with a false sense of security," says one security manager at a Midwest manufacturing firm. "In our company, many upper managers simply choose to believe the reports that come in from the different regions. If those reports say that the systems are tight and secure, then that is management's working assumption."

So it seems many organizations are overconfident about their security posture. What attributes, then, does an IT security program need to have to truly be ahead of the pack?

85% employ a CISO or CSO

"From a maturity perspective, if you have a senior manager or a junior executive who is designated as a security lead, that's my number-one criterion," says Eric Cowperthwaite, CSO at Providence Health and Services. Before you can consider your organization on the leading edge, "you have to have a security front-person, who's recognized as such in your organization, and is high enough up in the organization to have actual authority," he says. "Number two is to have a strategy, not just a road map for what technologies you are going to deploy, but a strategy for how you are going to secure and protect your systems and data," Cowperthwaite adds, an assessment that largely parallels PwC's definition.

The semantics of titles aren't a major concern. Andy Ellis, CSO at Akamai Technologies, says, "I don't think it matters what title you have. What matters is that you are efficiently reducing your risk according to your organization's business requirements."

That's hard to argue against, but few survey respondents could pass Ellis' litmus test because so few are actually testing their security efforts. Consider this: While 63 percent of respondents have an overall IT security strategy and 85 percent employ a CISO or CSO, half or less of those surveyed are evaluating their efforts. For example, while 63 percent said they have an overall information security strategy, about 40 percent said they've established security baselines for external partners, and only 43 percent have centralized security information management processes. Similarly low percentages of survey-takers have identity-management strategies (41 percent), business-continuity or disaster-recovery plans (39 percent), or risk-based authentication systems (34 percent).

50% or less are actively evaluating their security efforts

Business Impact

Companies that don't have a security leader, a strategy, and the ability to execute that strategy and measure their execution are likely to suffer more breaches than others—that seems obvious. But they may also be losing more business.

That's the argument made by Douglas Davidson, president and CEO of security services provider Jacadis. "Clearly, they miss [business] opportunities. We have small businesses that we work with that have been driven to follow a [standards]-based security program by their bigger customers and business partners. They've actually gained revenues because they've created a competitive advantage through the security they put in place," he says.

How can security drive revenue? By using secure processes to gain partner and customer trust, and even to deliver new services to clients. Davidson cites a recent example: "There were several banks that needed the ability to send paper statements for printing, but most of the printers in the area were not able to secure the necessary processes. This one printer was able to build proper security around their services. They then won the banks' business and were able to go out and sell that capability to other customers," Davidson says.

That anecdote shows that IT security isn't a discipline practiced within a business; it's an integral part of the business. "For any significantly sized company, information security is a critical business function because information management is a critical business function," says Cowperthwaite.

Now if only more businesses would act as if IT security is critical to their business—or at least live up to their own mental images of their security efforts. ■

LAGGARD TO LEADER: WHAT IT TAKES TO GET THERE

What are the best ways for strategists, tacticians and followers to become IT security leaders with mature processes?

How do organizations move from lagging in their IT security program to leading? They must put an effective strategy in place, consistently meet that strategy, and have good visibility into the security events in their infrastructure. Looks good on paper, but how do you get there? CISOs say it boils down to executive vision and support.

However, according to the survey responses, security professionals are focused more on technologies and less on integrating security processes throughout the business.

For instance, only 48 percent report linking security, via organizational structure or policy, to privacy or regulatory compliance. And only 46 percent employ dedicated security personnel who support internal business departments.

Those are just two examples of the disconnect. Others include not aligning security spend with real-world business risk and not having healthy lines of communication with executive leadership. Part of the problem, security industry experts say, is of IT security's own making. "Many security professionals do not behave as if they are a critical business function. Instead of discussing business risk, they discuss attack techniques and technologies," says Eric Cowperthwaite, CSO at Providence Health and Services.

That communication problem, says Daniel Kennedy, research director for information security and networking at the research firm TheInfoPro, is largely a by-product of an old story: Organizations promote highly technical personnel to what should really be a business-management role.

"They figure, 'That's the person who managed the firewall, therefore let's make them the CISO,'" says Kennedy. "There has to be some consideration that there are people out there who are good communicators, good senior executives, and then there are people for whom that's not in line with their capabilities," he says.

"I speak with other companies all the time, and there are many CISOs with that title, but their real strategy is to make their firewalls run better, so they're always working at a low tactical level," says Providence Health's Cowperthwaite.

That means to move from laggard to leader, more enterprises need to elevate the CSO position from a tactical level to the level of a business risk adviser.

TheInfoPro's Kennedy says that to get there, the first step is to build credibility.

"If management doesn't trust the CISO, then they don't have the right guy. The security leader is someone functioning on the executive level, someone who can speak IT in business terms, and somebody who really effects cultural change in the company," he says. "That means there should be a difference between the day they started and a year and a half later in terms of the way the company views security. If they're not getting that, you don't have a security leader. What you have is somebody who is sort of just sitting around in the role," says TheInfoPro's Kennedy.

That trust, in combination with executive leadership, will go a long way toward getting the security budget and resources needed to build a solid program.

But it's not enough. Experienced pros say that the CISO who can build a world-class program has to first be an expert on the industry they're in and how their organization functions in that industry. That's why Cowperthwaite advises CISOs to learn the nature of their business. "If you want to be the CISO of the company, then somebody else can go talk about bits and bytes with your networking equipment provider while you figure out what the company's strategy is and how you fit into it," he says. "You can do that better by getting to know the business inside out," he says. "If you work in transportation, you have to go out in the road with the drivers. See how everyone works and what they need to get their jobs done. If you're a hospital, watch how staff actually works."

Finally, to be security leaders, enterprises need to start measuring their efforts so that they can improve over time. Pete Lindstrom, research director at Spire Security, says a good place to start is with operational metrics. Those would include commonly repeated tasks such as user provisioning, account management, and time from vulnerability discovery to remediation. The measurements can also be risk-based, such as vulnerability-management efforts. "The important thing is to start measuring what you can measure, and build the metrics you can track over time," Lindstrom says.

While most organizations still lack a cohesive security strategy and an ability to execute on that strategy, it's clear that it's not beyond their reach to develop those things. Security management needs to be in a position of authority, integrate itself into the business and continuously measure and improve upon its own efforts. -G.V.H.

George V. Hulme is a security and technology writer based in Minneapolis. Send feedback to editor Derek Slater at dslater@cxo.com.

Watch for our next issue for more survey findings, including data about specific gaps in prevention programs.
SOCIAL NETWORKING

Facial Recognition and Social Media Meet in the Shadows

Starting with just a Facebook profile, researchers obtain Social Security numbers and other sensitive information. Richard Power interviews Alessandro Acquisti.

ing of personal information are mind-boggling.

Imagine having access to the political views, sexual preferences, relationships, tastes, foibles, emotional states and workplace attitudes of a billion people.

An effort to collect such data on behalf of a government, or a corporation, or a geopolitical alliance, or an industrial sector, or even a seemingly benign world organization would meet with fierce opposition. It would be difficult, if not impossible; it would require lawyers, money and maybe even guns.

But in the era of social media, an extraordinary and rapidly growing number of us have been willingly posting such sensitive information (or at least the keys to unlocking it) online, where it's available either directly or indirectly to marketers, stalkers, reporters, law enforcement, private investigators, human resources personnel and rivals in love, business or politics, whether it's obtained by subterfuge or inference or subpoena, whether legally or illegally, whether ethically or unethically.

It is all out there now, and not just spread across cyberspace in fragments. No, it's happily, willingly offered up in an organized way.

Consider, for example, the Facebook profile photo.

No matter how tightly you zip up your Facebook account, people who you have not friended can see your profile photo. And isn't that the point for most of us—not just to share status updates, photos, videos, likes and comments with our current circle of friends and colleagues, but to expand that circle?

But what if a stranger on the street could snap a smartphone photo of you, and then use facial-recognition software to match it to a profile photo on Facebook, and then learn your name and your date of birth, who's in your circle of friends, and other such data?

What if that stranger could then take some of that data and guess your Social Security number from it, granting them unrestricted access to the most sensitive details of your financial and medical information?

Well, it is possible, as The Economist (which broke this story) recounts:

"By mining public sources, including Facebook profiles and government databases, the researchers could identify at least one personal interest of each student and, in a few cases, the first five digits of a social security number. All this helps to explain concerns over the use of face-recognition software by the likes of Google and Facebook, which have been acquiring firms that specialize in that technology, or licensing software from them. (Google recently snapped up Pittsburgh Pattern Recognition, the firm which owns the programme the researchers used for their tests.) Privacy officials in Europe have said they will scrutinise Facebook's use of face-recognition software to help people 'tag,' or identify, friends in photos they upload. And privacy campaigners in America have made a formal complaint to regulators. (Facebook notes that people can opt out of the photo-tagging service by altering their privacy settings.)"

Yes, Alessandro Acquisti and Ralph Gross, the two Carnegie Mellon University researchers who rocked the world a couple of years ago with their blockbuster study proving that Social Security numbers could be guessed, have done it again.

The experiment that yielded the information on a study subject's Social Security numbers was the third of three experiments.

The first experiment was about online-to-online re-identification. The researchers showed that they could identify a significant proportion of users of a popular dating site by taking unidentified profiles from the site (where people use pseudonyms to protect privacy) and comparing them, using facial recognition, to identified profiles on Facebook (without even logging onto the network itself; they simply used the parts of the Facebook profiles they could see using a search engine).

The second experiment was about offline-to-online re-identification. It was conceptually similar to the first experiment, but the researchers tried to identify students on the Carnegie Mellon University campus after taking three shots of them with a cheap webcam. It took on average three seconds to identify more than 32 percent of the students photographed.

Acquisti, one of the co-authors of the study, presented the results of the study at Black Hat Briefings (where else?) on Aug. 4. Acquisti is a colleague of mine at Carnegie Mellon University CyLab, an advanced academic research program exploring 21st Century cybersecurity and privacy. He is also an associate professor of information technology and public policy at Carnegie Mellon's Heinz College.

We recently sat down to conduct this interview for the readers of CSO.

Power: Tell us about this study. How did it come about? What are the intersecting trends that drew you and your co-researchers to look into this issue?

Acquisti: We actually started thinking about this study six years ago. Ralph Gross and I had written what turned out to be the first peer-reviewed published article about Facebook ("Information Revelation and Privacy in Online Social Networks"). Facebook was very young at the time, but its members were already revealing lots of personal information, and in particular, identified primary profile photos. We thought that this could lead to visual re-identification, but we only started serious work on this idea after completing another one of our studies, the one about predicting Social Security numbers from public data, including, in fact, Web 2.0 profiles.

Power: In your presentation, you mention that Facebook may be evolving into a default real ID. Explain.

Acquisti: Facebook users tend to create profiles under their real first and last names. This is due to a combination of reasons. First, when Facebook started, it was a campus-based social network, where members felt they shared something in common. Therefore members felt more comfortable using their real identities, as compared to behavior on MySpace or Friendster at the time. Of course, that Facebook community is in reality very much open—we call it an imagined community in one of our papers. Second, as Facebook expanded outside college networks, it realized that forcing a verified identity policy was good business; it meant better data on members and consumers. As a result, according to some of our estimates, about 90 percent of Facebook users use their real identities on the network. If you combine this fact with another one—that the vast majority also use frontal face photos of themselves as their primary profile photos (which, by the way, Facebook makes visible to all by default)—you end up with a de facto real ID.

Power: Tell us what you mean by "augmented reality" and what this research shows us about its consequences and implications.

Acquisti: We use the term "augmented reality" in an expanded sense, to refer to the merging of online and offline data that new technologies make possible. When I can recognize your face in the street, using a face recognizer, and also find your Facebook profile that way, I can not only identify you, but also infer additional sensitive information about you (such as, in our third experiment, your Social Security number). Essentially, we start from an anonymous face in the street, and we end up with very sensitive information about that person. This is the kind of future we are walking into whether we like it or not, and the consequences and implications of this seamless blending of online and offline data are anybody's guess.

Power: You also mentioned scalability issues in your presentation. In what ways may scalability affect this trend?

Acquisti: As of today, automated face recognition is still pretty bad, but it keeps improving. If you look at the technological trends in cloud computing, the accuracy of face recognizers, and online self-disclosures, it is hard not to conclude that what we present today as a proof-of-concept in our study will tomorrow become as common as everyday text-based searches on a search engine.

Power: What are the immediate or near-term implications of this study for users of Facebook and social media, both personally and professionally? And likewise, what are the immediate or near-term implications for organizations in regard to their workforce? What do governments and advocacy groups need to get their minds around in regard to these technological capabilities?

Acquisti: There is no obvious answer or solution to the privacy concerns raised by widely available facial recognition. Google's Eric Schmidt observed that, in the future, young people may be inclined to change their names to disown youthful improprieties. It is much harder, however, to change someone's face. Other than adapting to a world where every stranger in the street could quite accurately predict your credit score and sexual orientation, we need to think about policy solutions that can balance the benefits and risks of peer-based facial recognition. Self-regulation is not going to work. ■

Illustration by Greg Mably

Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab. Contact Editor Derek Slater at dslater@cxo.com.
ON THIS BATTLEFIELD, EDUCATION IS YOUR BEST DEFENSE.

Cyber attacks are being waged all over the world, creating an unprecedented demand for trained professionals to protect our country's data assets and develop cybersecurity policies. Help meet the demand with a bachelor's or master's degree in cybersecurity. Whether you plan to work for Cyber Command taking down cyber terrorists or for private industry battling hackers, UMUC can help you make it possible.

• Designated as a National Center of Academic Excellence in Information Assurance Education by the NSA and DHS

• BS and MS in cybersecurity and MS in cybersecurity policy available

• Programs offered entirely online

• Interest-free monthly payment plan available, plus financial aid for those who qualify


[  INDUSTRY  view] 

By  Frank  Villavicencio,  EVP,  Identropy 


Top  10  Identity-Management 
Metrics  that  Matter 


Within  the  IT  security 
community,  identity- 
and  access-management 
(lAM)  initiatives  are 
considered  high  value, 
but  are  notoriously  problematic  to  deploy. 
Yet  despite  lAM’s  complexity,  it  represents 
30  percent  or  more  of  the  total  information 
security  budget  of  most  large  institutions, 
according  to  IDC  (a  sister  company  to  CSO’s 
pubUsher). 

Ironically,  the  deployment  difficulties 
stem  from  having  to  reconcile  the  very 
people  and  process  breakdowns  lAM  auto¬ 
mation  is  meant  to  solve,  such  as  too  many 
or  too  few  people  involved  in  authorizing 
requests,  a  lack  of  documentation  for  access 
requests  and  approvals,  connecting  to  tar¬ 
get  systems  with  “dirty”  or  obsolete  data, 
and  so  on.  This  conundrum  has  led  to  the 
rise  of  what  is  called  identity  governance. 

Identity  governance  involves  defining 
and  executing  the  identity-related  busi¬ 
ness  processes  that  are  most  critical  to  the  * 
organization.  For  example,  an  engineer 
needs  root  access  to  the  server  hosting  an 
ERP  system— who  needs  to  approve  that 
request?  Who  is  the  one  who  actually  takes 
the  action  that  grants  that  access?  How 
does  that  process  get  documented?  Where 
is  it  stored,  and  for  how  long?  How  can  we 
report  on  it  during  an  audit? 

Getting  your  organization’s  governance 
processes  locked  in  is  a  tall  order,  but  well 
worth  it.  One  of  the  many  benefits  of  proper 
identity  governance  is  that  it  pinpoints 
which  identity-related  processes  are  most 
in  need  of  attention.  Here  are  10  of  the  most 
common  measurements  for  gauging  the 
effectiveness  of  identity  governance. 

1.  Password  reset  volume  per  month. 
This  one  is  a  classic  in  identity  manage¬ 


ment,  and  it’s  key  to  helping  organizations 
measure  the  effectiveness  of  their  lAM 
programs.  Businesses  typically  look  at 
password-related  help  desk  calls,  account 
lockouts,  and  self-service  resets  per  month 
as  good  indicators  of  password-policy 
effectiveness.  This  metric  should  gener¬ 
ally  trend  downward,  alhough  there  may 
be  peaks  and  valleys  driven  by  business 
events.  If  it  doesn’t,  your  organization’s 
password  policies  and  management  tools 
require  a  closer  look. 

2.  Average  number  of  distinct  creden- 
tiais  per  user.  Another  lAM  classic,  and 
for  years,  a  key  business  justification  for 
single  sign-on  (SSO)  initiatives.  The  indus¬ 
try  average  ranges  from  10  to  12  unique 
accounts  per  user.  Organizations  should 
strive  to  bring  this  average  down  as  close  to 
one  as  possible. 

3.  Number  of  uncorreiated  accounts. 

These  are  accounts  that  have  no  owner,  and 
occur  most  frequently  when  a  change  hap¬ 


pens,  such  as  a  promotion 
or  a  termination,  and  that 
person’s  accounts  were 
not  transitioned  properly. 
Too  many  uncorrelated 
accounts  can  lead  to  unnec¬ 
essary  risks— they  are 
open,  live  accounts  that  can 
be  easily  hijacked  for  un¬ 
authorized  use. 

4.  Number  of  new 
accounts  provisioned.  This 
number  should  closely 
follow  the  number  of  new 
joiners  to  the  organization. 
An  effective  lAM  program 
should  always  account  for 
any  new  user  who  needs  to 
be  granted  access  to  systems 
and  applications.  If  there’s 
a  discrepancy  or  a  significant  lag  between 
the  number  of  provisioned  accounts  and 
the  total  number  of  new  joiners  for  a  given 
period,  that  indicates  inefficient  processes 
or  poor  identity  data. 

5.  Average  time  it  takes  to  provision  or 
de-provision  a  user.  This  shows  how  long  a 
new  user  waits  to  get  access  to  the  resources 
they  need  to  do  their  work.  It  has  implicit 
productivity  and  ROI  ramifications.  Nine 
times  out  of  10,  if  someone  doesn’t  get  access 
to  applications  in  a  timely  fashion,  there  are 
process  issues  behind  the  delay.  This  metric 
can  flag  a  business  process  that  needs  to  be 
reviewed  and  possibly  adjusted. 

6.  Average  time  it  takes  to  authorize  a 
change.  This  metric  can  provide  insight  into 
the  efficiency  of  an  organization’s  approval 
processes.  For  example,  if  there  are  four 
people  involved  in  approving  a  sales  rep’s 
access  to  Salesforce.com,  but  it  takes  two 
weeks  for  that  approval  to  be  granted,  that’s 
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two  weeks  the  sales  rep  is  limited  in  his 
capacity  to  sell.  Knowing  how  long  it  takes 
for  approvals  to  be  granted  can  help  iden¬ 
tify  bottlenecks  or  out-of-date  processes. 

7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who held credentials that granted them access to important resources (making them privileged users) no longer need that access, or have left the organization, but never had their privileges removed or their accounts reassigned. The problem here is obvious: who wants privileged accounts that don't belong to anyone floating around?

8. Number of exceptions per access recertification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator either of poor identity data quality (that is, lots of users having access that they should not have) or of process problems (that is, the person asked to perform the recertification does not have all the information they need to complete the process).

9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused by the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers do not match) or, worse yet, of an account created through back-door channels. These exceptions should trend toward zero over time, and any spike should trigger a thorough investigation and further discussion.

10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature (the conflicting entitlements often sit in different systems and only become visible once all of a person's accounts are correlated to one identity), but they are also the riskiest to miss, given the potential damage that could be inflicted if they are exploited. Exploitations of these problems are the kind that often make headlines. The organization should implement controls that prevent these combinations where possible, and that otherwise monitor for them, report them and orchestrate their remediation.
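Three of the metrics above (orphaned privileged accounts, reconciliation exceptions and separation of duty violations) are the ones that need an actual correlation step rather than a count, because each depends on tying every account in every target system back to one HR identity. The following Python is an added example, not code from the original article and not Identropy's product; it computes those three metrics over a constructed HR feed and constructed account extracts. The field names, the sample identities and accounts, and the two separation of duty rules are assumptions made for illustration.

```python
"""Added example: orphaned privileged accounts, reconciliation exceptions and
separation of duty violations computed over constructed HR and account feeds.
All field names and sample rows are assumptions for illustration."""
from collections import defaultdict

# Constructed HR feed (the authoritative identity source): one row per person.
HR_FEED = [
    {"id": "E1001", "status": "active"},      # a developer
    {"id": "E1002", "status": "terminated"},  # a DBA who has left
    {"id": "E1003", "status": "active"},      # a trader
]

# Constructed account extracts from target systems. "owner" is the HR id the
# IAM platform correlated the account to, or None if it could not be tied.
ACCOUNTS = [
    {"system": "git",       "account": "aruiz",      "owner": "E1001", "privileged": False, "entitlements": {"dev_commit"}},
    {"system": "prod-db",   "account": "aruiz",      "owner": "E1001", "privileged": True,  "entitlements": {"db_admin"}},
    {"system": "prod-db",   "account": "bcho",       "owner": "E1002", "privileged": True,  "entitlements": {"db_admin"}},
    {"system": "prod-db",   "account": "svc_backup", "owner": None,    "privileged": True,  "entitlements": {"db_admin"}},
    {"system": "trading",   "account": "cdube",      "owner": "E1003", "privileged": False, "entitlements": {"trade_submit"}},
    {"system": "approvals", "account": "c.dube",     "owner": "E1003", "privileged": False, "entitlements": {"trade_approve"}},
    {"system": "crm",       "account": "ruiz.a",     "owner": "E9999", "privileged": False, "entitlements": {"sales"}},
]

# Separation of duty rules: a name and a toxic combination of entitlements.
# The entitlements may live in different systems; the check is per identity.
SOD_RULES = [
    ("developer with production DB admin", {"dev_commit", "db_admin"}),
    ("can submit and approve own trades", {"trade_submit", "trade_approve"}),
]


def _identity_index(hr_feed):
    """Map HR id -> HR row so account owners can be looked up in O(1)."""
    return {row["id"]: row for row in hr_feed}


def reconciliation_exceptions(accounts, hr_feed):
    """Metric 9: accounts the IAM platform cannot tie to any HR identity
    (no owner recorded, or an owner id that does not exist in HR)."""
    ids = _identity_index(hr_feed)
    return [(a["system"], a["account"]) for a in accounts if a["owner"] not in ids]


def orphaned_privileged_accounts(accounts, hr_feed):
    """Metric 7: privileged accounts with no live owner. An unmatched owner
    and a terminated owner are both orphans; only an active owner counts."""
    ids = _identity_index(hr_feed)
    orphans = []
    for a in accounts:
        if not a["privileged"]:
            continue
        owner = ids.get(a["owner"])
        if owner is None or owner["status"] != "active":
            orphans.append((a["system"], a["account"]))
    return orphans


def sod_violations(accounts, hr_feed, rules):
    """Metric 10: identities whose entitlements, unioned across every account
    correlated to them, contain one of the toxic combinations in `rules`."""
    ids = _identity_index(hr_feed)
    effective = defaultdict(set)
    for a in accounts:
        if a["owner"] in ids:               # unreconciled accounts cannot be attributed
            effective[a["owner"]] |= a["entitlements"]
    violations = []
    for person_id in ids:                   # HR order keeps the output deterministic
        for name, toxic in rules:
            if toxic <= effective[person_id]:
                violations.append((person_id, name))
    return violations


def governance_metrics(accounts=ACCOUNTS, hr_feed=HR_FEED, rules=SOD_RULES):
    """The three counts a dashboard would report for this cycle."""
    return {
        "orphaned_privileged_accounts": len(orphaned_privileged_accounts(accounts, hr_feed)),
        "reconciliation_exceptions": len(reconciliation_exceptions(accounts, hr_feed)),
        "sod_violations": len(sod_violations(accounts, hr_feed, rules)),
    }


if __name__ == "__main__":
    for metric, count in governance_metrics().items():
        print(f"{metric}: {count}")
```

Two details are worth noting in the design. An account the platform cannot reconcile is excluded from the separation of duty check, so every reconciliation exception is also a blind spot in metric 10; that is one reason the article wants exceptions driven toward zero. And the trader's violation is only detectable because the "trading" and "approvals" accounts, with different user names, were both correlated to the same HR identity, which is the cross-application nature the text describes.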

It's often hard to understand the scope and ramifications of these kinds of people and process breakdowns until you take concrete steps to address them. That is part of the reason IAM and identity governance are perceived as daunting and, at times, painful. But only with metrics can the organization measure its effectiveness and success in efficiently managing user access, and make the necessary adjustments to reap significant security, compliance and operational benefits. If you have started an identity governance initiative, do your best to track some of these metrics; you'll be glad you did. ■


Frank  Villavicencio  leads  Identropy’s  Managed 
Identity  Services  business. 
The #1 issue for companies migrating to the cloud is identity and access management.

But for the agile business, know-ing users is always better than no-ing them.

In fact, agile businesses, using our Content-Aware Identity and Access Management solutions, have been able to reduce security risk while improving productivity, access and efficiency: more effective compliance, reduced IT risk, and broader, more secure customer and partner relationships.

That's what happens when no becomes know. And security turns into agility.

To see how we can help make your business more agile and secure, visit ca.com
Avigilon's end-to-end surveillance solutions give you image detail no other system can match.

CAPTURE IT WITH CLARITY

Get unprecedented clarity with the Avigilon Control Center software featuring High-Definition Stream Management (HDSM) technology, and the broadest range of megapixel cameras, from 1 to 29 MP. Our scalable surveillance solutions require minimal bandwidth and storage while producing the very best image quality. And that means you always get the best evidence.

Avigilon: The Best Evidence